Real-Time Rogue Wireless Access Point Detection with the Raspberry Pi

Years ago, I worked for an automotive IT provider, and occasionally we went
out to the plants to search for rogue Wireless Access Points (WAPs). A
rogue WAP is one that the company hasn't approved to be there. So if
someone were to go and buy a wireless router, and plug it in to the
network, that would be a rogue WAP. A rogue WAP also could be someone
using a cell phone or MiFi as a Wi-Fi hotspot.

The tools we used were laptops with Fluke Networks' AirMagnet, at
the time a proprietary external Wi-Fi card paired with a software dashboard. The
equipment required us to walk around the plants—and that is never safe
due to the product lines, autonomous robots, parts trucks, HiLos, noise,
roof access and so on. Also when IT people are walking around with laptops,
employees on site will take notice. We became known, and the people with
the rogue WAPs would turn them off before we could find the devices.

The payment card industry, with its data security standard (PCI-DSS),
is the only one I could find that requires companies to do
quarterly scans for rogue WAPs. Personally, I have three big problems
with occasional scanning. One, as I said before, rogue WAPs get turned off
during scans and turned back on after. Two, the scans are just snapshots
in time. A snapshot doesn't show what the day-to-day environment looks
like, and potential problems are missed. Three, I think there is more value
for every company to do the scans, regardless of whether they're required.

Later, when I was a network engineer at a publishing company, I found it
was good to know what was on my employer's network. The company
wanted to know if employees followed policy. The company also was worried
about data loss, especially around a couple projects. Other
companies near us had set up their own wireless networks that caused
interference with the ones we ran. Finally, I had to worry about penetration
testers using tools like the WiFi Pineapple and the Pwn Plug. These
allow network access over Wi-Fi beyond the company's physical perimeter.

One thing I always wanted was a passive real-time wireless sensor
network to watch for changes in Wi-Fi. A passive system, like Kismet
and Airodump-NG, collects all the packets in the radio frequency (RF)
that the card can detect and displays them. This finds hidden WAPs too, by
looking at the clients talking to them. In contrast, active systems, like
the old NetStumbler, try to connect to WAPs by broadcasting null SSID probes
and display the WAPs that reply. This misses hidden networks.
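As an added illustration of the passive approach just described (example code, not from the article or its project), the following Python builds a WAP inventory from constructed 802.11 frames, attributing data frames to a BSSID by the To-DS/From-DS bits so that a hidden or non-beaconing WAP still shows up through the clients talking to it, and then compares the inventory against an approved BSSID list. The frame fields, sample MAC addresses and the approved list are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Frame:
    """Minimal 802.11 header view of one heard frame (constructed, not a capture)."""
    subtype: str                 # "beacon", "probe_resp" or "data"
    addr1: str                   # receiver address
    addr2: str                   # transmitter address
    addr3: str                   # BSSID on management frames
    ssid: Optional[str] = None   # SSID element; "" means the network is hidden
    to_ds: bool = False          # data-frame direction bits
    from_ds: bool = False

@dataclass
class AccessPoint:
    bssid: str
    ssid: Optional[str] = None
    hidden: bool = False
    clients: set = field(default_factory=set)

def passive_inventory(frames):
    """Inventory every BSSID heard, as a passive sniffer does: hidden or
    non-beaconing WAPs are found through the clients talking to them."""
    aps = {}
    for f in frames:
        if f.subtype == "beacon":
            ap = aps.setdefault(f.addr3, AccessPoint(f.addr3))
            if f.ssid == "":
                ap.hidden = True     # zero-length SSID element = cloaked network
            else:
                ap.ssid = f.ssid
        elif f.subtype == "probe_resp":
            ap = aps.setdefault(f.addr3, AccessPoint(f.addr3))
            ap.ssid = f.ssid         # a directed probe response carries the real name
            ap.clients.add(f.addr1)
        elif f.subtype == "data":
            # To-DS: station -> WAP, BSSID in addr1; otherwise WAP -> station
            bssid, client = (f.addr1, f.addr2) if f.to_ds else (f.addr2, f.addr1)
            aps.setdefault(bssid, AccessPoint(bssid)).clients.add(client)
    return aps

def rogue_candidates(frames, approved_bssids):
    """BSSIDs heard on the air that are not on the approved list."""
    return sorted(b for b in passive_inventory(frames) if b not in approved_bssids)

BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE = [  # constructed: one approved WAP, one hidden WAP, one WAP with no beacon heard
    Frame("beacon", BCAST, "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:01", "Corp-WiFi"),
    Frame("beacon", BCAST, "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:02", ""),
    Frame("data", "aa:aa:aa:aa:aa:02", "cc:cc:cc:cc:cc:10", "aa:aa:aa:aa:aa:01", to_ds=True),
    Frame("data", "cc:cc:cc:cc:cc:11", "aa:aa:aa:aa:aa:03", "00:00:00:00:00:99", from_ds=True),
    Frame("probe_resp", "cc:cc:cc:cc:cc:10", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:02", "Shadow-Net"),
]
APPROVED = {"aa:aa:aa:aa:aa:01"}
```

Running `rogue_candidates(SAMPLE, APPROVED)` flags both the hidden WAP and the WAP that was never heard beaconing, neither of which a null-probe scanner would have listed.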

A couple years ago, I decided to go back to school to get a Bachelor's
degree. I needed to find a single credit hour to fill for graduation. That
one credit hour became an independent study on using the Raspberry Pi
(RPi) to create a passive real-time wireless sensor network.

Today lots of wireless intrusion detection systems exist on the
market, but as listed in the Hardware sidebar,
mine cost me little more than $400.00 USD to make. Based on numbers I could
get, via Google Shopping, using Cisco's Wireless IDS data sheet
from 2014, a similar setup would have cost about $11,500 USD. I've
been told by a wireless engineer I know that he was quoted about twice that
for just one piece of hardware from the Cisco design.